Event ID 552

Got a question, I keep seeing 2 accounts from 1am to 3am with the following info in the security of the event viewer.  My question is what exactly is this?

The user is "SYSTEM"
Computer = "servername"
Event Details:  Logon attempt using explicit credentials.
  Logged on user:
     Username:  SERVERNAME$
     Domain:      MYDOMAIN
     LogonID:     (0x0, 0x3E7)

  User whose credentials were used:
      Target user name:  first.last
      Target domain:       mydomain
      Target Logon GUID: {a very big number}

  Target server name:  localhost
  target server info:      localhost
  caller process ID:       2464
  Source network addr: 206.51.26.74
  Source port:               56055

So, is this someone who has hacked and got access to the first.last account?  The people I work with won't allow us to require complex passwords at all.

Thanks



Kevin Hays (IT Analyst) asked:

BlevinsM3 commented:
There should be another event right next to this one that will tell you what privileges were used (i.e. delete, change, etc). This will give you a better idea of what this individual is doing. In addition I would check and see what that IP address is (206.51.26.74).
After a cursory look at that server, it appears to be a blackberry.net box. Are you running BES? If so, then I wouldn't worry about it.

Good luck!

Kevin Hays (IT Analyst, author) commented:
Yes, this individual is using a blackberry.

Right next to this is the system (user) with the following privileges assigned to the new login.

SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege

Kevin

BlevinsM3 commented:
Yeah, this is fine then. It's just Blackberry calls into the store.

Sembee commented:
The IP address in that error belongs to RIM - who make Blackberry.

206.51.26.74

So it is the Blackberry service.

Simon.
Kevin Hays (IT Analyst, author) commented:
Thanks everybody :)

Kevin
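The check the answers walk through (who made the call, and whether the source address belongs to a known service), as an added example that is not part of the original thread. The function names and the `VERIFIED_SOURCES` allowlist are assumptions; the allowlist holds only the address the thread attributes to RIM.

```python
import ipaddress
import re

# Fields copied from the event posted in the question above (abridged).
SAMPLE_EVENT = """\
Logon attempt using explicit credentials.
  Logged on user:
     Username:  SERVERNAME$
     Domain:      MYDOMAIN
     LogonID:     (0x0, 0x3E7)
  User whose credentials were used:
      Target user name:  first.last
  Source network addr: 206.51.26.74
  Source port:               56055
"""

# Assumption: sources the admin has already verified (e.g. via WHOIS) as a
# legitimate service. Here, only the address the thread attributes to RIM.
VERIFIED_SOURCES = ["206.51.26.74/32"]


def parse_552(text):
    """Return the 'Name: value' fields of a 552 description, keys lowercased."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(\S.*)$", line)
        if m:  # section headers such as 'Logged on user:' carry no value
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields


def triage(fields, verified=VERIFIED_SOURCES):
    """Return (verdict, notes) for one parsed 552 event."""
    notes = []
    if fields.get("logonid", "").lower().endswith("0x3e7)"):
        notes.append("caller runs in the LocalSystem logon session (0x3E7)")
    if fields.get("username", "").endswith("$"):
        notes.append("caller is the computer account (name ends in $)")
    try:
        src = ipaddress.ip_address(fields.get("source network addr", ""))
    except ValueError:
        return "investigate", notes + ["no usable source address recorded"]
    if any(src in ipaddress.ip_network(n) for n in verified):
        return "expected", notes + [f"{src} is a verified service source"]
    return "investigate", notes + [f"{src} is not verified; look up its owner"]


if __name__ == "__main__":
    print(*triage(parse_552(SAMPLE_EVENT)))
```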